Voting By Cell Phone Is A Terrible Idea, And West Virginia Is Probably The Last State That Should Try It Anyway

from the industrialized-incompetence dept

So we've kind of been over this. For more than two decades now we've pointed out that electronic voting is neither private nor secure. We've also noted that despite this several-decade long conversation, many of the vendors pushing this solution are still astonishingly-bad at not only securing their products, but acknowledging that nearly every reputable security analyst and expert has warned that it's impossible to build a secure fully electronic voting system, and that if you're going to to do so anyway, at the very least you need to include a paper trail system that's not accessible via the internet.

Having apparently learned nothing, reports emerged this week that West Virginia is considering launching an initiative that would let some state residents vote via cellphone. To be clear, the effort initially appears focused on letting troops stationed overseas vote. Not surprisingly, more than a few folks were quick to highlight to CNN how this would be an arguably terrible idea:

"Mobile voting is a horrific idea," Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, told CNN in an email. "It's internet voting on people's horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote."

Marian K. Schneider, president of the election integrity watchdog group Verified Voting, was even more blunt. Asked if she thought mobile voting is a good idea, she said, "The short answer is no."

Given security analysts routinely aren't sure whether or not our existing voting systems may have been compromised by actors foreign and/or domestic, and the federal government just got done making it clear election security isn't a priority with an idiotically-partisan vote, it seems like a pretty terrible time to begin trying to implement new online voting efforts. And if you've watched West Virginia's blistering corruption when it comes to sectors like the telecom industry, the state is probably the last state in the union that should be attempting such a voting system overhaul.

Judging from online conversations, the company that's building the new West Virginia system (Voatz) may not be the best choice either, since it doesn't appear capable of securing its own website:

The Voatz website is running on a box with out of date SSH, Apache (multiple CVSS 9+), PHP etc. https://t.co/o1RvrLbQ0S

Comforting. Ideally, the system would involve a user first registering by taking a photo of their government-issued ID and a selfie-video of their face, which are then registered via the app. Voatz claims the company's facial recognition software will then ensure the photo and video submitted are of the same person, with users then able to cast their ballot using the Voatz app. Documents the company circulates at trade shows indicate the company utilizes the blockchain to ensure its systems are more secure and "fundamentally different than touchscreen or online voting." But the company has failed to clarify how.

There's roughly a million and one ways this entire process could go to hell, from SS7 vulnerabilities to man in the middle attacks everywhere along the chain between your device and the Voatz database. And if there's not a hard paper trail, it opens the door to any number of undetectable changes that could happen during transit. Of course this has all been repeatedly stated countless times over the last few decades, but it's a message that's still not apparently getting through.